Commit Graph

15494 Commits

Author SHA1 Message Date
Ondřej Surý
5255843f9b Follow the number of CPU set by taskset/cpuset
Administrators may wish to constrain the set of cores that BIND 9 runs
on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on
other O/S), for example to achieve higher (or more stable) performance
by more closely associating threads with individual NIC rx queues. If
the admin has used taskset, it follows that BIND ought to
automatically use the given number of CPUs rather than the system wide
count.

Co-Authored-By: Ray Bellis <ray@isc.org>
(cherry picked from commit 5a2df8caf5)
2024-09-03 13:52:10 +00:00
Mark Andrews
1be660a1a2 Use atomics to access find->status
(cherry picked from commit a45e39d114)
2024-09-02 03:25:35 +00:00
Mark Andrews
ce6c0c26a0 Use an accessor fuction to access find->status
find->status is marked as private and access is controlled
by find->lock.

(cherry picked from commit c900300f21)
2024-09-02 03:25:35 +00:00
Mark Andrews
b30bff7dee Return partial match when requested
Return partial match from dns_db_find/dns_db_find when requested
to short circuit the closest encloser discover process.  Most of the
time this will be the actual closest encloser but may not be when
there yet to be committed / cleaned up versions of the zone with
names below the actual closest encloser.

(cherry picked from commit d42ea08f16)
2024-08-29 21:40:16 +00:00
Mark Andrews
a39b4552a9 Move lock earlier in the call sequence
fctx->state should be read with the lock held.

    1559        /*
    1560         * Caller must be holding the fctx lock.
    1561         */

    CID 468796: (#1 of 1): Data race condition (MISSING_LOCK)
    1. missing_lock: Accessing fctx->state without holding lock fetchctx.lock.
       Elsewhere, fetchctx.state is written to with fetchctx.lock held 2 out of 2 times.
    1562        REQUIRE(fctx->state == fetchstate_done);
    1563
    1564        FCTXTRACE("sendevents");
    1565
    1566        LOCK(&fctx->lock);
    1567

(cherry picked from commit 43f0b0e8eb)
2024-08-29 12:46:43 +00:00
Ondřej Surý
619d21b57c Stop using malloc_usable_size and malloc_size
Although the nanual page of malloc_usable_size says:

    Although the excess bytes can be over‐written by the application
    without ill effects, this is not good programming practice: the
    number of excess bytes in an allocation depends on the underlying
    implementation.

it looks like the premise is broken with _FORTIFY_SOURCE=3 on newer
systems and it might return a value that causes program to stop with
"buffer overflow" detected from the _FORTIFY_SOURCE.  As we do have own
implementation that tracks the allocation size that we can use to track
the allocation size, we can stop relying on this introspection function.

Also the newer manual page for malloc_usable_size changed the NOTES to:

    The value returned by malloc_usable_size() may be greater than the
    requested size of the allocation because of various internal
    implementation details, none of which the programmer should rely on.
    This function is intended to only be used for diagnostics and
    statistics; writing to the excess memory without first calling
    realloc(3) to resize the allocation is not supported.  The returned
    value is only valid at the time of the call.

Remove usage of both malloc_usable_size() and malloc_size() to be on the
safe size and only use the internal size tracking mechanism when
jemalloc is not available.

(cherry picked from commit d61712d14e)
2024-08-26 18:27:01 +00:00
Aram Sargsyan
c90aa16929 Exempt prefetches from the fetches-per-server quota
Give prefetches a free pass through the quota so that the cache
entries for popular zones could be updated successfully even if the
quota for is already reached.

(cherry picked from commit c7e8b7cf63)
2024-08-26 15:54:02 +00:00
Aram Sargsyan
d96fca478a Exempt prefetches from the fetches-per-zone quota
Give prefetches a free pass through the quota so that the cache entry
for a popular zone could be updated successfully even if the quota for
it is already reached.

(cherry picked from commit cada2de31f)
2024-08-26 15:54:01 +00:00
Mark Andrews
1f1440c1b9 Check key tag range when matching dnssec keys to kasp keys
(cherry picked from commit 035289be71)
2024-08-23 08:05:16 +10:00
Mark Andrews
e3dedfb981 Add optional range directive to keys in dnssec-policy
(cherry picked from commit c5bc0a1805)
2024-08-23 08:05:16 +10:00
Mark Andrews
a5c3e3b9f7 Add the concept of allowed key tag ranges to kasp
(cherry picked from commit 25bf77fac6)
2024-08-23 07:44:13 +10:00
Matthijs Mekking
d0db5c07f8 Fix algorithm rollover bug wrt keytag conflicts
If there is an algorithm rollover and two keys of different algorithm
share the same keytags, then there is a possibility that if we check
that a key matches a specific state, we are checking against the wrong
key.

Fix this by not only checking for matching key id but also key
algorithm.

(cherry picked from commit f37eb33f29)
2024-08-22 12:58:00 +00:00
Matthijs Mekking
f4624281dc Disable some behavior in offline-ksk mode
Some things we no longer want to do when we are in offline-ksk mode.

1. Don't check for inactive and private keys if the key is a KSK.
2. Don't update the TTL of DNSKEY, CDS and CDNSKEY RRset, these come
   from the SKR.

(cherry picked from commit 2e3068ed60)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
282d32c3d8 Retrieve RRSIG from SKR
When it is time to generate a new signature (dns_dnssec_sign), rather
than create a new one, retrieve it from the SKR.

(cherry picked from commit 61cf599fbf)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
75f7118a92 Don't read private key files for offline KSKs
When we are appending contents of a DNSKEY rdataset to a keylist,
don't attempt to read the private key file of a KSK when we are in
offline-ksk mode.

(cherry picked from commit 30d20b110e)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
56814221fd Update key states in offline-ksk mode
With offline-ksk enabled, we don't run the keymgr because the key
timings are determined by the SKR. We do update the key states but
we derive them from the timing metadata.

Then, we can skip a other tasks in offline-ksk mode, like DS checking
at the parent and CDS synchronization, because the CDS and CDNSKEY
RRsets also come from the SKR.

(cherry picked from commit 2190aa904f)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
6f6d000103 Apply SKR bundle on rekey
When a zone has a skr structure, lookup the currently active bundle
that contains the right key and signature material.

(cherry picked from commit 63e058c29e)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
f516e461fd Implement SKR import
When 'rndc skr import' is called, read the file contents and store the
data in the zone's skr structure.

(cherry picked from commit 037382c4a5)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
27fd4e5687 Add code to store SKR
This added source code stores SKR data. It is loosely based on:
https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-keymgmt-01.txt

A SKR contains a list of signed DNSKEY RRsets. Each change in data
should be stored in a separate bundle. So if the RRSIG is refreshed that
means it is stored in the next bundle. Likewise, if there is a new ZSK
pre-published, it is in the next bundle.

In addition (not mentioned in the draft), each bundle may contain
signed CDS and CDNSKEY RRsets.

Each bundle has an inception time. These will determine when we need
to re-sign or re-key the zone.

(cherry picked from commit 445722d2bf)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
40bd74b182 Add offline-ksk option
Add a new configuration option to enable Offline KSK key management.

Offline KSK cannot work with CSK because it splits how keys with the
KSK and ZSK role operate. Therefore, one key cannot have both roles.
Add a configuration check to ensure this.

(cherry picked from commit 0598381236)
2024-08-22 10:17:08 +00:00
Ondřej Surý
46069fe5c7 Use clang-format-19 to update formatting
This is purely result of running:

    git-clang-format-19 --binary clang-format-19 origin/main

(cherry picked from commit 7b756350f5)
2024-08-22 08:16:03 +00:00
Nicki Křížek
ac11357466 Merge tag 'v9.20.1' into bind-9.20 2024-08-21 16:32:33 +02:00
Aram Sargsyan
2353771253 Process also the ISC_R_CANCELED result code in rpz_rewrite()
Log  canceled queries (e.g. when shutting down a hung fetch)
in DEBUG3 level instead of DEBUG1 which is used for the
"unrecognized" result codes.

(cherry picked from commit 8bb9568467)
2024-08-19 13:56:27 +00:00
Ondřej Surý
97a9e4711c Remove code to read and parse /proc/net/if_inet6 on Linux
The getifaddr() works fine for years, so we don't have to
keep the callback to parse /proc/net/if_inet6 anymore.

(cherry picked from commit 2fbf9757b8)
2024-08-19 11:49:56 +00:00
Ondřej Surý
2a0454f881 Ignore errno returned from rewind() in the interface iterator
The clang-scan 19 has reported that we are ignoring errno after the call
to rewind().  As we don't really care about the result, just silence the
error, the whole code will be removed in the development version anyway
as it is not needed.

(cherry picked from commit dda5ba53df)
2024-08-19 11:49:56 +00:00
Ondřej Surý
530f1dd913 Check the result of dirfd() before calling unlinkat()
Instead of directly using the result of dirfd() in the unlinkat() call,
check whether the returned file descriptor is actually valid.  That
doesn't really change the logic as the unlinkat() would fail with
invalid descriptor anyway, but this is cleaner and will report the right
error returned directly by dirfd() instead of EBADF from unlinkat().

(cherry picked from commit 59f4fdebc0)
2024-08-19 10:03:08 +00:00
Ondřej Surý
dc4c0397eb Use constexpr for NS_PER_SEC and friends constants
The contexpr introduced in C23 standard makes perfect sense to be used
instead of preprocessor macros - the symbols are kept, etc.  Define
ISC_CONSTEXPR to be `constexpr` for C23 and `static const` for the older
C standards.  Use the newly introduced macro for the NS_PER_SEC and
friends time constants.

(cherry picked from commit 122a142241)
2024-08-19 09:10:04 +00:00
Ondřej Surý
27a7647559 Change the NS_PER_SEC (and friends) from enum to static const
New version of clang (19) has introduced a stricter checks when mixing
integer (and float types) with enums.  In this case, we used enum {}
as C17 doesn't have constexpr yet.  Change the time conversion constants
to be static const unsigned int instead of enum values.

(cherry picked from commit b03e90e0d4)
2024-08-19 09:10:04 +00:00
Aram Sargsyan
864d55081e Check if logconfig is NULL before using it in isc_log_doit()
Check if 'lctx->logconfig' is NULL before using it in isc_log_doit(),
because it's possible that isc_log_destroy() was already called, e.g.
when a 'call_rcu' function wants to log a message during shutdown.

(cherry picked from commit 656e04f48a)
2024-08-15 14:27:29 +00:00
Ondřej Surý
2f1205443e Silence all warnings that stem from the default config
As we now setup the logging very early, parsing the default config would
always print warnings about experimental (and possibly deprecated)
options in the default config.  This would even mess with commands like
`named -V` and it is also wrong to warn users about using experimental
options in the default config, because they can't do anything about
this.  Add CFG_PCTX_NODEPRECATED and CFG_PCTX_NOEXPERIMENTAL options
that we can pass to cfg parser and silence the early warnings caused by
using experimental options in the default config.

(cherry picked from commit 86f1ec34dc)
2024-08-15 12:10:02 +00:00
Ondřej Surý
14302330f4 Skip already rehashed positions in the old hashmap table
When iterating through the old internal hashmap table, skip all the
nodes that have been already migrated to the new table.  We know that
all positions with index less than .hiter are NULL.

(cherry picked from commit 3e4d153453)
2024-08-15 12:09:28 +00:00
Ondřej Surý
61b88c56cd Fix the assertion failure in the isc_hashmap iterator
When the round robin hashing reorders the map entries on deletion, we
were adjusting the iterator table size only when the reordering was
happening at the internal table boundary.  The iterator table size had
to be reduced by one to prevent seeing the entry that resized on
position [0] twice because it migrated to [iter->size - 1] position.

However, the same thing could happen when the same entry migrates a
second time from [iter->size - 1] to [iter->size - 2] position (and so
on) because the check that we are manipulating the entry just in the [0]
position was insufficient.  Instead of checking the position [pos == 0],
we now check that the [pos % iter->size == 0], thus ignoring all the
entries that might have moved back to the end of the internal table.

(cherry picked from commit acdc57259f)
2024-08-15 12:09:28 +00:00
Aram Sargsyan
db1162cffe Reconfigure catz member zones during named reconfiguration
During a reconfiguration named doesn't reconfigure catalog zones
member zones. Implement the necessary code to reconfigure catz
member zones.

(cherry picked from commit fd71ed5d73ae2dc968e8782ce652fb8ef257c25e)
2024-08-13 16:57:50 +02:00
Ondřej Surý
afb345b0e8 Don't skip the counting if fcount_incr() is called with force==true (v2)
The fcount_incr() was not increasing counter->count when force was set
to true, but fcount_decr() would try to decrease the counter leading to
underflow and assertion failure.  Swap the order of the arguments in the
condition, so the !force is evaluated after incrementing the .count.

(cherry picked from commit 8e86e55af1)
2024-08-13 16:08:12 +02:00
Evan Hunt
053e01b9f0 implement 'max-query-restarts'
implement, document, and test the 'max-query-restarts' option
which specifies the query restart limit - the number of times
we can follow CNAMEs before terminating resolution.

(cherry picked from commit 104f3b82fb)
2024-08-07 21:12:34 +00:00
Evan Hunt
5e1e33da6f reduce the max-recursion-queries default to 32
the number of iterative queries that can be sent to resolve a
name now defaults to 32 rather than 100.

(cherry picked from commit 7e3b425dc2)
2024-08-07 21:12:34 +00:00
Evan Hunt
74d94707cd make "max_restarts" a configurable value
MAX_RESTARTS is no longer hard-coded; ns_server_setmaxrestarts()
and dns_client_setmaxrestarts() can now be used to modify the
max-restarts value at runtime. in both cases, the default is 11.

(cherry picked from commit c5588babaf)
2024-08-07 21:12:34 +00:00
Evan Hunt
be3b660e54 reduce MAX_RESTARTS to 11
the number of steps that can be followed in a CNAME chain
before terminating the lookup has been reduced from 16 to 11.
(this is a hard-coded value, but will be made configurable later.)

(cherry picked from commit 05d78671bb)
2024-08-07 21:12:34 +00:00
Evan Hunt
d201355739 add debug logging when creating or attaching to a query counter
fctx_create() now logs at debug level 9 when the fctx attaches
to an existing counter or creates a new one.

(cherry picked from commit 825f3d68c5)
2024-08-07 21:12:34 +00:00
Evan Hunt
6c941eda7e apply max-recursion-queries quota to validator queries
previously, validator queries for DNSKEY and DS records were
not counted toward the quota for max-recursion-queries; they
are now.

(cherry picked from commit af7db89513)
2024-08-07 21:12:34 +00:00
Evan Hunt
3fd795d84d attach query counter to NS fetches
there were cases in resolver.c when queries for NS records were
started without passing a pointer to the parent fetch's query counter;
as a result, the max-recursion-queries quota for those queries started
counting from zero, instead of sharing the limit for the parent fetch,
making the quota ineffective in some cases.

(cherry picked from commit d3b7e92783)
2024-08-07 21:12:34 +00:00
Ondřej Surý
bbf34c0604 Disassociate the SSL object from the cached SSL_SESSION
When the SSL object was destroyed, it would invalidate all SSL_SESSION
objects including the cached, but not yet used, TLS session objects.

Properly disassociate the SSL object from the SSL_SESSION before we
store it in the TLS session cache, so we can later destroy it without
invalidating the cached TLS sessions.

Co-authored-by: Ondřej Surý <ondrej@isc.org>
Co-authored-by: Artem Boldariev <artem@isc.org>
Co-authored-by: Aram Sargsyan <aram@isc.org>
(cherry picked from commit c11b736e44)
2024-08-07 15:25:29 +00:00
Ondřej Surý
c6daaa4b8c Attach/detach to the listening child socket when accepting TLS
When TLS connection (TLSstream) connection was accepted, the children
listening socket was not attached to sock->server and thus it could have
been freed before all the accepted connections were actually closed.

In turn, this would cause us to call isc_tls_free() too soon - causing
cascade errors in pending SSL_read_ex() in the accepted connections.

Properly attach and detach the children listening socket when accepting
and closing the server connections.

(cherry picked from commit 684f3eb8e6)
2024-08-07 15:16:50 +00:00
Ondřej Surý
46cfebac58 Fix the glue table in the QP and RBT zone databases
When adding glue to the header, we add header to the wait-free stack to
be cleaned up later which sets wfc_node->next to non-NULL value.  When
the actual cleaning happens we would only cleanup the .glue_list, but
since the database isn't locked for the time being, the headers could be
reused while cleaning the existing glue entries, which creates a data
race between database versions.

Revert the code back to use per-database-version hashtable where keys
are the node pointers.  This allows each database version to have
independent glue cache table that doesn't affect nodes or headers that
could already "belong" to the future database version.

(cherry picked from commit 5beae5faf9)
2024-08-05 14:43:18 +00:00
Evan Hunt
b4fc8e6294 minor findnode optimization
when searching the cache for a node so that we can delete an
rdataset, it is not necessary to set the 'create' flag. if the
node doesn't exist yet, we then we won't be able to delete
anything from it anyway.

(cherry picked from commit 6b720bfe1a)
2024-08-05 14:25:17 +00:00
Evan Hunt
f840b44401 raise the log level of priming failures
when a priming query is complete, it's currently logged at
level ISC_LOG_DEBUG(1), regardless of success or failure. we
are now raising it to ISC_LOG_NOTICE in the case of failure.

(cherry picked from commit a84d54c6ff)
2024-08-05 13:06:54 +00:00
Ondřej Surý
b0ba2b72e6 Call rcu_barrier() in the isc_mem_destroy() just once
The previous work in this area was led by the belief that we might be
calling call_rcu() from within call_rcu() callbacks.  After carefully
checking all the current callback, it became evident that this is not
the case and the problem isn't enough rcu_barrier() calls, but something
entirely else.

Call the rcu_barrier() just once as that's enough and the multiple
rcu_barrier() calls will not hide the real problem anymore, so we can
find it.

(cherry picked from commit 13941c8ca7)
2024-08-05 11:39:30 +00:00
Ondřej Surý
506138ec0f Fix the assertion failure when putting 48-bit number to buffer
When putting the 48-bit number into a fixed-size buffer that's exactly 6
bytes, the assertion failure would occur as the 48-bit number is
internally represented as 64-bit number and the code was checking if
there is enough space for `sizeof(val)`.  This causes assertion failure
when otherwise valid TSIG signature has a bad timing information.

Specify the size of the argument explicitly, so the 48-bit number
doesn't require 8-byte long buffer.

(cherry picked from commit 37dbd57c16)
2024-08-05 11:11:40 +00:00
Ondřej Surý
36265057f9 Don't open route socket if we don't need it
When automatic-interface-scan is disabled, the route socket was still
being opened.  Add new API to connect / disconnect from the route socket
only as needed.

Additionally, move the block that disables periodic interface rescans to
a place where it actually have access to the configuration values.
Previously, the values were being checked before the configuration was
loaded.

(cherry picked from commit b26079fdaf)
2024-08-05 10:17:08 +00:00
Ondřej Surý
6df4fa58fd Don't skip the counting if fcount_incr() is called with force==true
The fcount_incr() was incorrectly skipping the accounting for the
fetches-per-zone if the force argument was set to true.  We want to skip
the accounting only when the fetches-per-zone is completely disabled,
but for individual names we need to do the accounting even if we are
forcing the result to be success.

(cherry picked from commit a513d4c07f)
2024-08-05 09:40:25 +00:00